Comment Articles

Security is about more than an image problem

Richard Forno ZDNet.com

Published: 21 Nov 2003 12:25 GMT

Microsoft recently announced rewards in exchange for information leading to the arrest and conviction of those who exploit its flagship Windows product through viruses, worms and other forms of malicious code.

After years of sitting idle, Microsoft is suddenly committed to improving security. Hence the company's mad rush to inject "security" into every product, speech and statement to reassure customers that Windows is still a worthy operating environment to purchase.

But rather than address its own problems, the company has decided to use creative marketing as a substitute for good security and software development. The problem isn't that virus writers are exploiting Windows; it's that Microsoft makes Windows easy to exploit by anyone with a modicum of programming know-how. Instead of accepting responsibility, the company is trying to pass the blame for such problems off onto others.

Creating a rewards programme is a clever, low-cost way of diverting public attention away from the many problems stemming from a history of exploit-friendly programming practices. Microsoft can avoid addressing the root causes that forced the creation of the rewards program while portraying itself as taking the moral high ground (albeit illusory) in its approach to proactive product security.

The rewards programme builds on the company's recent announcement to convert its traditional as-necessary security bulletin and patch-release process into a predictable monthly one. Interestingly, Microsoft's October 2003 white-paper discussion of the new security release process says this will make it easier for customers to stay current through a single cumulative monthly patch that fixes reported problems in Windows.

That sounds perfectly reasonable, until one reads that "Microsoft will make an exception to the above release schedule, if we determine that customers are at immediate risk from viruses, worms, attacks or other malicious activities. In such a situation, Microsoft may release security patches as soon as possible to help protect customers."